Acra is designed to provide an optimal security model out of the box, as well as a number of ways to control (and sometimes programmatically reconfigure) some of its security and performance properties.

Strategies for increased security

Wholecell vs Injectedcell

Injectedcell (--acrastruct_injectedcell_enable CLI parameter) can be used as a means of security through obscurity: you can hide AcraStruct in a large JPEG picture, and store it, thus increasing the complexity of locating the sensitive data.

Zones

If you have a lot of resources to run Acra on, or a small number of users, you can map each user to a separate Zone. This will make each user compartmented key-wise.

Strategies for increased performance

Some performance metrics

During the feature freeze of 0.75, and while we were researching insane memory leaks, we ran a few performance tests to understand how much of a performance penalty Acra imposes on the full roundtrip to the app and back. We wrote 10k rows and made 10k requests:

| Configuration | read | write |
|---|---|---|
| without acra | 6.263646909 sec | 36.397444647 sec |
| without zone, no encrypted records | 21.764239688 sec | - |
| without zone, all encrypted records | 34.915005008 sec | 70.29645783 sec |
| with zone, no encrypted records | 22.799269264 sec | - |
| with zone, all encrypted records | 37.159501001 sec | 74.951257645 sec |

The goal was to never exceed a 10x performance penalty (typical for using interpreted languages with random quality libraries and poor concurrency). Writes are 2x slower, reads are 6 times slower max. It is worth mentioning that compiling Themis with the underlying cryptography backend changed to a more robust implementation of the crypto primitives can significantly improve Acra performance.

Wholecell vs Injectedcell

Performance-wise, wholecell is much faster than injectedcell because it doesn't require scanning the whole byte stream.

If you're using injectedcell mode, you might want to limit the length of your database response: the longer it is, the longer the scan for AcraStructs takes.
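
The difference in scan cost between the two modes, as an added example (not Acra's own code): a simplified model in which a constructed 8-byte marker stands in for the AcraStruct begin tag, and the function names, filler bytes and payload are hypothetical. Wholecell inspects a fixed prefix, while injectedcell has to try every offset of the cell.

```go
package main

import (
	"bytes"
	"fmt"
)

// beginTag: constructed 8-byte marker standing in for the AcraStruct begin tag (assumption).
var beginTag = bytes.Repeat([]byte{'"'}, 8)

// sampleCell builds a constructed database cell: `padding` filler bytes
// (think image data), optionally followed by the marker and a fake payload.
func sampleCell(padding int, withContainer bool) []byte {
	cell := bytes.Repeat([]byte{0xAB}, padding)
	if withContainer {
		cell = append(cell, beginTag...)
		cell = append(cell, []byte("constructed-ciphertext")...)
	}
	return cell
}

// wholecellMatch models wholecell mode: the cell either starts with the
// marker or is passed through, so only len(beginTag) bytes are inspected.
func wholecellMatch(cell []byte) (found bool, inspected int) {
	if len(cell) < len(beginTag) {
		return false, len(cell)
	}
	return bytes.Equal(cell[:len(beginTag)], beginTag), len(beginTag)
}

// injectedcellMatch models injectedcell mode: the marker may sit at any
// offset, so every start position is a candidate until one matches.
func injectedcellMatch(cell []byte) (offset int, tried int) {
	for i := 0; i+len(beginTag) <= len(cell); i++ {
		tried++
		if bytes.Equal(cell[i:i+len(beginTag)], beginTag) {
			return i, tried
		}
	}
	return -1, tried
}

func main() {
	for _, size := range []int{1 << 10, 1 << 20} {
		_, w := wholecellMatch(sampleCell(size, false))
		_, t := injectedcellMatch(sampleCell(size, false))
		fmt.Printf("cell=%d bytes: wholecell inspects %d, injectedcell tries %d offsets\n", size, w, t)
	}
}
```

The worst case for injectedcell is a long response that contains no container at all, which is why limiting response length helps.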

Zones

The more Zones and Zone keys you've got, the longer it takes to scan through the database response.